The changing threat landscape has brought about more sophisticated Web threats and left the online population clamoring for better security features in the systems and applications that they use. This has pushed Microsoft to develop security mechanisms within its applications like Windows’Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR).

Both DEP and ASLR are security mechanisms that Microsoft included in its latest Windows releases starting with XP SP2 and Vista, respectively, which should ideally protect systems from being attacked by exploit codes. DEP prevents the execution of code (including malicious shellcode) from certain regions of computer memory (nonexecutable). ASLR, on the other hand, randomizes the layout of regions (data areas) in memory to make guessing the exact location more difficult. But what if these security mechanisms are not so secure after all?

This is what Berend-Jan Wever aka Skylined (the security researcher responsible for disclosing the heap-spraying technique) came to discover as he reported a new exploit technique that bypasses DEP if the ASLR feature is disabled. In Wever’s full disclosure of the exploit, he discusses the method on how to go around DEP and ASLR using return-to-libc attacks wherein an attacker uses existing code (of the applications being exploited or of the library functions) to carry out the attack rather than run his/her own code.

Possibilities Explored

Although these features make it more difficult to launch code execution on a system, these mechanisms are not perfect and can be bypassed, as revealed in Wever’s exploit codes. This exploit may take advantage of an already fixed vulnerability in Internet Explorer (IE) but this new technique may pave the way for new exploits that can defeat DEP.

As Trend Micro researcher Rajiv Motwani puts it, “History could repeat itself. After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not farfetched that the release of this new POC could lead to the same scenario—new exploits could start using return-to-libc to achieve DEP bypass.”

Furthermore, because the exploit affects DEP, which Microsoft only recently introduced with Windows XP SP2, and ASLR was only enabled by default from Windows Vista onward, we can expect to see more reliable code execution vulnerabilities on new versions of Windows.

Thoughts on Public Disclosure

Given the increasing number of POCs that have gone public, there seems to be a need to give responsible disclosure considerable thought. Trend Micro global director for education David Perry notes that there seems to be a lot of disclosure rather than response on the exploit. Public disclosures currently act as double-edged swords that both contribute and complicate the threat landscape.

On one hand, disclosures raise public awareness and push developers to act quickly. On the other hand, however, putting such critical information in the hands of the public could lead to significant exploits, as we recently saw with the most recent zero-day IE vulnerability.

While actual exploits of this vulnerability have yet to be seen in the wild, Trend Micro Deep Security™ already shields users from potential future exploits. Trend Micro OfficeScan™users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the latest IDF filters.

Additional text by Ria Rivera

Share this article

This entry was posted
on
Wednesday, March 3rd, 2010
at
2:54 am and is filed under
Exploits .
Both comments and pings are currently closed.